[Click] Problem with IPsecDES

Dimitris Syrivelis jsyr at inf.uth.gr
Tue Jun 12 08:04:47 EDT 2007


 Marco,

  If you just need to configure Click at runtime, e.g. change or add routing 
table entries etc., write a user-application "configuration" server to do so. 
The Click kernel-level version, for instance, exports configuration memory via 
a pseudo file system, which allows you to dynamically edit configuration 
memory (of elements that support this feature). To that end, you can add 
runtime configuration support (also for your elements) that suits your needs.
 The "configuration" server can use SSL/TLS to communicate with the rest of 
your system.
 In my opinion this is the "cleanest" way to integrate Click in your project 
and provides you with the ability to use the OS process scheduling properties 
for load balancing.
  
 Dimitris


> Hi Yannis,
>
> my project is very complex and maybe a little bit difficult to explain.
> I have to implement a test bed for so called "context-sensitive
> routing". This will consist of a client, a router and so called
> context-servers. The router will route context-specific data between
> client and servers. That means, that the client sends a route request
> with some context data and the router chooses, transparent for the
> client, the services and servers. This functionality is based on AODV
> with context-extension, developed at my university.
> The security functionalities should be implemented between router and
> servers. The servers have to login at the router (required) and transfer
> their data encrypted (not necessarily required).
> Maybe you're right, when you say, that it is unusual to implement
> tunnels at the data plane. But for me it was the easiest way to realize
> the required functionality.
>
> Regards,
> Marco.
>
> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
> > Marco, are you trying to implement "control plane" or "data plane"
> > functionality? It is not clear from what you're describing. The choice
> > of which secure tunneling technology to use would depend on the
> > answer to that question. TLS is on top of TCP -- implementing TCP
> > tunnels in the data plane of the routers would be, let's say, highly
> > unusual. Yannis
> >
> > ----- Original Message -----
> > From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
> > Date: Monday, June 11, 2007 2:22 pm
> > Subject: Re: [Click] Problem with IPsecDES
> > Cc: click at amsterdam.lcs.mit.edu
> >
> >> Hi Yannis,
> >>
> >> the reason why I prefer TLS over IPsec is that my tutor said it
> >> maybe will be the better way.
> >> I have to implement a router that sends ICMP advertisements (RFC
> >> 1256) into a subnet of clients. These clients have to do a secure
> >> authorization at the router when they receive an advertisement.
> >> Furthermore they have to send some so called "context data" over an
> >> encrypted way to my router. The clients will be implemented by
> >> another person in a separate project, which doesn't use Click. I
> >> think it will be hard to do it with IPSec, because it's much more
> >> complex than TLS.
> >> Maybe you've got a better idea? I'll be open to every proposal.
> >>
> >> Thanks and best regards,
> >> Marco.
> >>
> >> Ioannis C Avramopoulos (iavramop at Princeton.EDU) wrote:
> >>> Hi Marco,
> >>>
> >>> I am curious what might be the reason that you prefer TLS over
> >>> IPsec.
> >>>
> >>> Yannis
> >>>
> >>> ----- Original Message -----
> >>> From: Marco Wenzel <marco.wenzel at stud.tu-ilmenau.de>
> >>> Date: Friday, June 8, 2007 4:50 am
> >>> Subject: Re: [Click] Problem with IPsecDES
> >>> Cc: click at amsterdam.lcs.mit.edu
> >>>
> >>>> Hi Dimitris,
> >>>>
> >>>> thanks for this explicit explanation. After reading some more
> >>>> documents about IPSec and playing around with the Click-IPSec
> >>>> elements, I decided that IPSec is not a suitable
> >>>> encryption technique for my project. I think SSL/TLS is a better
> >>>> solution for me. Did anyone implement Click elements which can
> >>>> realize an SSL/TLS connection? After searching in the CVS and the
> >>>> official releases with the additional packages, I did not find
> >>>> any.
> >>>>
> >>>> Best regards,
> >>>> Marco.
> >>>>
> >>>> Dimitris Syrivelis wrote:
> >>>>> Hello,
> >>>>>
> >>>>>   The Documentation on IPsecDES and this particular configuration
> >>>>> file (ipsec-des.click) are outdated because the modules have been
> >>>>> recently revised. Despite that, if this configuration suits your
> >>>>> needs you may use click-1.5.0 release or earlier.
> >>>>>  In the current release click has a Security Association Database
> >>>>> and the keys for encryption and authentication are stored there
> >>>>> and are passed to each IPsec module via the click annotation space
> >>>>> mechanism.
> >>>>>  This database (it is a click hashtable) resides in
> >>>>> RadixIPsecLookup routing table module.
> >>>>>   You should check the ipsec-router.click configuration example as
> >>>>> well as the click documentation for IPsec which is here:
> >>>>>     http://www.read.cs.ucla.edu/click/docs/ipsec-doc
> >>>>>
> >>>>>  If you have any questions please post them here because I will
> >>>>> use the feedback to improve documentation.
> >>>>>
> >>>>>  If you will be using commodity PCs to create pairs of IPSec
> >>>>> security gateways, note that you should decrease the Ethernet MTU
> >>>>> size of all the machines that use these gateways to 1400 bytes
> >>>>> because IPsec ESP encapsulation increases the packet size.
> >>>>>
> >>>>> Dimitris
> >>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> in the context of my diploma thesis I want to use the ipsec
> >>>>>> package to send encrypted data over an ethernet network. While
> >>>>>> trying to play around with the example configurations in the
> >>>>>> "conf" directory I get the following errors in usermode:
> >>>>>> # click conf/ipsec-des.click
> >>>>>> conf/ipsec-des.click:11: While configuring 'IPsecDES at 7 :: IPsecDES':
> >>>>>>   too many arguments; expected 'int'
> >>>>>> conf/ipsec-des.click:20: While configuring 'IPsecDES at 16 :: IPsecDES':
> >>>>>>   too many arguments; expected 'int'
> >>>>>> Router could not be initialized!
> >>>>>>
> >>>>>> Corresponding to the element documentation the syntax
> >>>>>> "IPsecDES(1, 0123456789012345)" and "IPsecDES(0,
> >>>>>> 0123456789abcdef)" is correct. I couldn't find any other mistake
> >>>>>> in the ipsec-des.click configuration.
> >>>>>>
> >>>>>> I'm using the current CVS-version. Click is configured with
> >>>>>> "./configure --disable-linuxmodule --enable-ipsec" and runs under
> >>>>>> gentoo linux with kernel 2.6.19-gentoo-r5. Does anyone have an
> >>>>>> idea what I'm doing wrong?
> >>>>>>
> >>>>>> Best regards,
> >>>>>> Marco.
>
> _______________________________________________
> click mailing list
> click at amsterdam.lcs.mit.edu
> https://amsterdam.lcs.mit.edu/mailman/listinfo/click



-- 
It is with narrow-souled people as with narrow necked bottles: the less they 
have in them, the more noise they make in pouring it out.

--

Dimitris Syrivelis
Dept of Computer Engineering & Telecommunications ( www.inf.uth.gr )
University of Thessaly 
Volos
Greece
Tel +302421074973
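
The user-level "configuration" server described in the reply at the top of this message, as an added example that is not code from the thread or from the Click project: clients must present a TLS client certificate, and every command is checked against an allowlist before it is written to a handler file in the Click pseudo file system. The `/click` mount point, the routing-table element name `rt`, the `WRITE` line protocol and the allowlist are assumptions made for the example.

```python
import re
import ssl
from pathlib import Path

CLICKFS = Path("/click")  # assumed clickfs mount point of the kernel module
# Hypothetical policy: the only element/handler pairs a client may write.
ALLOWED = {("rt", "add"), ("rt", "remove")}
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
ROUTE = re.compile(r"[0-9.]+/[0-9.]+( [0-9.]+)?( [0-9]+)?\Z")  # ADDR/MASK [GW] [OUT]


def parse_command(line):
    """Validate 'WRITE <element>.<handler> <value>' and return its parts."""
    m = re.match(r"WRITE ([^\s.]+)\.(\S+) (.+)\Z", line.strip())
    if not m:
        raise ValueError("malformed command")
    element, handler, value = m.groups()
    if not (NAME.match(element) and NAME.match(handler)):
        raise ValueError("bad element or handler name")  # no '/' or '..' in paths
    if (element, handler) not in ALLOWED:
        raise PermissionError("handler not in allowlist")
    if not ROUTE.match(value):
        raise ValueError("bad route syntax")
    return element, handler, value


def make_tls_context(cert, key, client_ca):
    """Server-side context that refuses clients without a cert from client_ca."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)
    ctx.load_verify_locations(client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def handle(conn, root=CLICKFS):
    """Serve one connection: one command per line, reply OK or ERR <reason>."""
    with conn, conn.makefile("r", encoding="ascii", errors="replace") as rd, \
            conn.makefile("w", encoding="ascii") as wr:
        for line in rd:
            try:
                element, handler, value = parse_command(line)
                (Path(root) / element / handler).write_text(value + "\n")
                reply = "OK"
            except (ValueError, OSError) as exc:
                reply = f"ERR {exc}"
            wr.write(reply + "\n")
            wr.flush()
```

Each accepted socket is wrapped with `ctx.wrap_socket(sock, server_side=True)` before it is passed to `handle()`, so the handshake, including the client-certificate check, completes before any command is read.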


